• Home
  • News
  • Data Protection update - April 2017

02 May 2017

Data Protection update - April 2017


Welcome to the April 2017 edition of our Data Protection update, our monthly review of key developments in Data Protection law. As always, please do let us know if you have any feedback or suggestions for future editions. 

Data protection

Cyber security

ICO enforcement


Data Protection

EU-US Privacy Shield review now promised for September

Věra Jourová, the EU Commissioner for Justice announced, during her visit to the US to discuss the EU-US Privacy Shield with the new US administration, that the first annual joint review of the Privacy Shield will take place in September 2017.

This confirmation comes after the adoption by the European Parliament of a non-legislative resolution calling on the European Commission to conduct a proper assessment and ensure the Privacy Shield complies with the EU Charter on Fundamental Rights and the GDPR.

According to Claude Moraes, the Civil Liberties Committee Chair, the Privacy Shield clearly has insufficiencies "that remain to be urgently resolved". Members of the European Parliament expressed concern about new rules introduced in January 2017 allowing the US National Security Agency to share vast amounts of personal data collected without oversight with 16 other agencies including the Federal Bureau of Investigation. More recently, in March 2017, the US Senate and the House of Representatives overturned rules to protect broadband customers' privacy (see the story below for more information). Further concerns have been raised in relation to the lack of sufficient independence of the ombudsperson mechanism and the fact that there is still no effective judicial redress for individuals in the EU whose personal data is transferred to the US.


EU consultation on Data Protection Impact Assessments

The EU Article 29 Working Party has released proposed guidelines on Data Protection Impact Assessments (DPIAs) and is inviting comments. The guidelines are detailed and contain practical questionnaires, FAQs and references to real life examples (you can access these draft guidelines here).

Once the GDPR comes into force on 25 May 2018, conducting DPIAs will be mandatory when processing is likely to result in a "high risk" to the rights and freedoms of individuals. Under the GDPR, failure to carry out a DPIA where necessary, carrying out a DPIA in an incorrect way or failing to consult the competent supervisory authority (e.g. the ICO) where required, could each result in fines of 10 million euros or up to 2% of the total worldwide annual turnover, whichever is higher.

The draft guidance is currently open for comment and views can be submitted to the following email addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr before 23 May 2017.


Government calls for views on GDPR derogations

The UK Department of Culture, Media & Sport (DCMS) has launched a call for views on national derogations from the GDPR. Whilst the GDPR will be directly applicable in all EU member states from 25 May 2018, the GDPR does contain 14 areas where national derogations are possible including: sanctions; demonstrating compliance; third country transfers; sensitive personal data and exceptions; criminal convictions; rights and remedies; processing of children's personal data by online services; and freedom of expression in the media.

UK stakeholders are invited to submit their views through the DCMS online tool in order to assist the DCMS in formulating an informed derogations policy. The relevant GDPR articles will be listed under one of the 14 categories (e.g. "sanctions" or "sensitive personal data"). Respondents are not obligated to respond to every article that is listed; only to those for which they have concerns. The closing date for responses is 10th May 2017. We will update you as and when further clarity as to proposed UK derogations are announced.


Article 29 Working Party updated GDPR guidelines

Following a consultation period, the Article 29 Working Party (WP29) has now issued final guidelines on:

  • Data Protection Officers;
  • Data Portability; and
  • The Lead Supervisory Authority

The guidelines provide further clarification on certain issues in relation to Data Protection Officers and Data Portability. As such, our summaries first published in our December 2016 bulletin have been updated accordingly. For more information on Data Protection Officers, Data Portability or an organisation's Lead Supervisory Authority, please click here, here and here.

Further guidance is expected from the Article 29 Working Party later this year about a number of GDPR related issues, including administrative fines, transparency, and personal data breach notification obligations.


Article 29 Working Party publishes opinion on draft E-Privacy Regulation

The implementation of the GDPR may be dominating headlines in the Data Privacy world but the landscape is set to change further with the introduction of an ePrivacy Regulation (the ePrivacy Regulation) to replace the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the Directive).

The WP29 has published its opinion on the draft ePrivacy Regulation, and outlines some notable changes in the current draft proposal including tighter marketing rules and a wider scope of activities affected. The ePrivacy Regulation also incorporates the GDPR’s highest fines of up to €20 million, or 4% of worldwide turnover for certain breaches of the ePrivacy Regulation.

In its opinion the WP29 outlines the following four key areas of concern which it considers could undermine the level of protection provided by the GDPR:

  • The right to track information emitted by terminal equipment, including location data, by Wi-Fi or bluetooth – the WP29 believes these proposed tracking rights should be substantially narrowed;
  • The conditions under which analysis of content and metadata is permitted - metadata and content is not currently accorded the same high level of protection, and the WP29 believe that it should be, as both categories of data could be highly sensitive;
  • The default settings of terminal equipment and software - the WP29 considers that terminal equipment and software must by default discourage, prevent and prohibit unlawful interference with it and provide information about available options; and
  • Tracking walls - the WP29 want the ePrivacy Regulation to explicitly prohibit the practice whereby access to a website or service is denied unless individuals agree to be tracked on other websites or services.

In relation to each concern, the WP29 set out suggestions for ways in which the ePrivacy Regulation could provide the same protection as the GDPR or a higher level of protection more appropriate to the sensitive nature of electronic communications data.

This proposal is just the beginning of the process, and the specifics are likely to evolve as we move forward. EU legislators have given themselves a tough deadline of May 2018 to implement the ePrivacy Regulation at the same time as the GDPR. With just over 13 months to go, the next step is for the European Parliament and the European Council to each review the draft ePrivacy Regulation and form their own view on what it should say, before coming together towards the end of 2017 to agree the final text.

To read the opinion, please click here.


High Court rules that DPA 1998 journalism exemption is compatible with Data Protection Directive

The High Court has ruled that the Data Protection Act 1998 (DPA), which allows an exemption to certain data protection obligations if the previously-unpublished data was used solely for journalistic, literary or artistic purposes (the "special purposes"), is compatible with the EU Data Protection Directive (95/46/EC). Article 9 of the Directive allows EU member states to derogate from the data protection rules in the interest of journalistic freedom, but only if the derogations are "necessary to reconcile the right to privacy with the rules governing freedom of expression."

The claim in question was brought by a businessman, Mr Stunt, who is married to the daughter of former Formula One chairman Bernie Ecclestone who claimed damages and/or an injunction for misuse of private information, harassment, and breaches and threatened breaches of the DPA. The defendant, Associated Newspapers Ltd (ANL) the owner of the Daily Mail, the Mail on Sunday and the Mail Online, applied for a stay of the proceedings to prevent the case going forward, on the basis that the data was used solely for the "special purposes" and was therefore exempt from certain restrictions on processing under section 32 of the DPA.

The case hinged upon the question of whether each of the special purposes was compatible with a legitimate balancing of (i) privacy rights under the Directive and (ii) rights of freedom of expression under Article 10 of the European Convention of Human Rights. The High Court ruled that it was, and that the special purposes were compatible with Article 9 of the Directive.

To read the judgment, please click here.


ASA rules marketing email sent without consent despite third party marketing opt-in

The Advertising Standards Authority (ASA) has ruled that clothing company, Lands' End Europe Ltd, violated the Committee of Advertising Practice Code (CAP Code) when it sent unsolicited advertisements to a consumer who had not explicitly consented to receiving marketing communications from them.

The complainant had submitted their contact details to the partner website of a company called Clic-Plan, opting in to being contacted by a "network of affiliate partners". This personal data was then supplied to an email re-targeting agency hired by Lands' End which sent out the communications on behalf of Lands' End. Lands' End unsuccessfully argued that the complainant had explicitly opted in to receive marketing communications from them.

The ASA ruled that ticking an opt-in box on the partner website to be contacted by "affiliate partners" did not make clear the nature of the partner companies which might contact the complainant, nor the type of communication that would be sent to him. Furthermore, there was no clear connection between the type of products provided by Lands' End and those for which the complainant had signed up. As such, the complainant could not reasonably have anticipated receiving the communication from Lands' End as a result of submitting his information to the partner website and the complainant had therefore not given his explicit consent.

This case goes to show that, when it comes to complying with data protection law or marketing/advertising rules, companies should be wary of the ASA as well as the Information Commissioner's Office (ICO), since the ASA is also authorised to impose certain sanctions and in some cases could refer the matter to OFCOM to issue a fine.


President Trump clears the way for internet providers to sell web browsing history

President Trump has signed a new law which allows internet companies in the United States to sell individuals' browsing history. This overturns broadband privacy rules introduced in 2016 by the Federal Communications Commission (FCC), which required internet service providers (ISPs) to get customers' permission before sharing their browsing history with other companies. The Obama-era FCC rules were due to come into effect at the end of 2017, but the legislation has now been repealed. This means ISPs will now be free to track internet users’ browsing behaviour and sell that data to advertisers without obtaining the users’ consent.

The move has been criticised by privacy advocates who have argued that the new bill means not only are the privacy rules repealed, but the FCC is now restricted from enacting similar rules protecting internet users’ browsing history.


Cyber security

Wonga loses the personal data of 245,000 UK customers

More than a quarter of a million customers of payday loan firm Wonga are being warned that their personal data may have been stolen in a data breach at the company.

The online lender said it was "urgently investigating illegal and unauthorised access" to the personal data of some of its customers in the UK and Poland. It is understood that the breach could affect up to 270,000 current and former customers, including 245,000 in the UK. Although Wonga has not released any information on the number of people impacted or the specific reason for the breach, it did state on its website that "cyber attacks are, unfortunately, on the rise. While Wonga operates to the highest security standards, these illegal attacks are unfortunately increasingly sophisticated."

It is clear that hacking incidents are becoming a common hazard for companies whose databases hold large volumes of data that is attractive to hackers, such as card or bank account details and cyber security defence strategies are therefore vital.


ICO enforcement

ICO fines Flybe and Honda for unsolicited marketing email

Regional airline Flybe and Honda Motors have been fined £70,000 and £13,000 respectively for breach of the Privacy and Electronic Communications Regulations (PECR).

Flybe had sent 3.3 million marketing emails to individuals on its database an e-mail titled "Are your details correct?", advising them to amend any out of date information and update marketing preferences. There was also an opportunity to enter a prize draw. However, Flybe sent the email to people who had previously opted out of receiving marketing e-mails from the company, breaching the PECR. Honda Motor Europe Ltd was also fined after a separate ICO investigation found similar breaches.

Steve Eckersley, ICO Head of Enforcement, said: "Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law. In Flybe’s case, the company deliberately contacted people who had already opted out of emails from them."

For more information, please click here and here.


ICO fines 11 charities for failing to follow data protection rules

We reported in January that the Royal Society for the Prevention of Cruelty to Animals and the British Heart Foundation were fined for secretly screening millions of their donors in order to target them for more donations. As the ICO continues its crack-down on charities, a further 11 charities including Cancer Research UK, Cancer Support UK, Macmillan Cancer Support, NSPCC and Great Ormond Street Hospital Children's Charity have each been fined between £6,000 and £18,000 for failing to comply with data protection rules.

As well as screening millions of donors to target them for additional funds, it was also discovered that some of the charities traded personal details with other charities, creating a large pool of donor data for sale. Some of the charities had also hired companies to profile the wealth of their donors, which was done by investigating their incomes, lifestyles, property values and friendship circles amongst other means.

For more information, please click here.


ICO issues fines totalling £220,000 to nuisance marketing firms

Separate ICO investigations have resulted in PRS Media, trading as Purus Digital, being fined £140,000 for sending around 4.4 million spam texts and Xternal Property Renovations being fined £80,000 for making over 109,000 nuisance phone calls to people registered with the Telephone Preference Service (TPS). The company failed to screen the list of people it planned to call against the details of TPS subscribers and failed to make sure its staff knew how to comply with data protection law.

For more information please click here.




Alison Llewellyn

Alison Llewellyn

T:  +44 20 7809 2278 M:  Email Alison | Vcard Office:  London

  • Related Services
  • Related Sectors
  • Related Locations